__proto__ security

Andreas Rossberg rossberg at google.com
Fri Feb 10 04:08:02 PST 2012

On 10 February 2012 12:46, Tom Van Cutsem <tomvc.be at gmail.com> wrote:
> I'm also in favor of exposing __proto__ as an accessor on the grounds that
> it is least magical. I'm worried that the changes made here to the core
> internal methods [[Get]], [[Put]], [[DefineOwnProperty]] and [[Delete]] will
> give proxies a hard time to properly emulate this behavior if they would
> want to do that. How would a proxy handler be able to access the internal
> variable UnderscoreProtoEnabled?

I also agree that an accessor is much cleaner (if we really want to
spec this at all -- which will de facto make it a blessed feature

However, I'm not sure the proxy argument applies. Either way, it
seems, proxies cannot "simulate" the magic of __proto__ themselves,
because they have no control over the prototype they disclose anyway.
It can only work for proxies if the magic accessor (whether implicit
or explicit) transparently forwards the assignment to proxy targets.
No trap would be involved, just like there is no trap for getting the
prototype of a proxy.

I suppose the real question is: do we _want_ proxies to simulate this
in full gory glory? That would be blessing this (mis)feature even

